[clamav-users] Difficult malwarefiles - signature too short
Hajo Locke
Hajo.Locke at gmx.de
Tue Nov 3 09:19:29 UTC 2015
Hello,
On 02.11.2015 at 19:08, Kris Deugau wrote:
> G.W. Haywood wrote:
>> Hi there,
>>
>> On Mon, 2 Nov 2015, Hajo Locke wrote:
>>
>>> ... It seems to be so easy for a php-programmer to generate infinite
>>> number of malwarefiles ...
>> That's correct.
>>
>> Any .php file sent here goes straight to /dev/null without inspection.
very luxurious life ;)
> I can't say I've seen PHP randomly splattered around by email (unlike
> Javascript or Windows executables, very little will even recognize it
> never mind auto-execute it); I'm guessing the OP is scanning customer
> webhosting content.
>
> Customers will get very unhappy if you blindly delete all PHP files from
> their webhosting account...
Yes, that's correct.
There are a lot of insecure CMSes which are abused to upload PHP malware
to send spam etc.
It's difficult to find the correct ones and leave harmless files alone until
the customer has updated his system.
I now have a set of signatures, but I am unhappy with them. I do some
test scans on servers to check how many FPs I will get. So far, none.
I tried to work without wildcards in my signature, just limited variable
spaces between significant text.
Is there a possibility to create whitespace-free normalised base files?
It's too easy for PHP programmers to create new files. For example, this
"$aat03[11]." is not the same as "$aat03[11] ." because of the whitespace
before ".".
Hmm, with whitespace-free normalised files it would be easier to create
signatures for these chained array elements in small spaces or for the
significant "eval{-15}(${$" instead of "(${ $", "( ${$", "( $ {
$"...... etc.
>
> -kgd
> _______________________________________________
> Help us build a comprehensive ClamAV guide:
> https://github.com/vrtadmin/clamav-faq
>
> http://www.clamav.net/contact.html#ml
>
Thanks,
Hajo
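The whitespace normalisation Hajo asks about can be done as a preprocessing step before the file is handed to the scanner, so that a plain fixed-string signature matches no matter how the obfuscator spaces its tokens. The following is an added example written for this thread, not code from ClamAV or from any poster. It strips comments and all whitespace outside string literals (keeping a single space only where two identifier characters would otherwise merge, e.g. `function foo`), leaves string literals untouched so a literal containing the pattern does not cause a false positive, and then checks fixed signatures against the normalised text. The sample PHP snippets, the signature names and the `$aat03` array name are constructed for the demonstration; heredoc/nowdoc strings are not handled.

```python
"""Whitespace-normalising preprocessor for PHP source (added example).

Two obfuscated variants that differ only in spacing, such as
    $aat03[11] . $aat03[3]      and      $aat03[11].$aat03[3]
or
    eval( ${ $x } ... )         and      eval(${$x}...)
normalise to the same text, so one fixed-string signature covers both.
"""
import re

# Characters that may be part of an identifier, keyword or variable name.
# Two such characters separated only by whitespace/comments must keep one
# space, otherwise "function foo" would collapse into "functionfoo".
_IDENT = re.compile(r"[A-Za-z0-9_$\\]")


def normalize_php(src: str) -> str:
    """Return src with comments removed and whitespace collapsed outside
    string literals.  String literals ('...' and "...") are copied verbatim,
    including their internal whitespace.  Heredoc/nowdoc are NOT handled."""
    out = []
    last = ""      # last character emitted
    gap = False    # whitespace or a comment was skipped since `last`
    i, n = 0, len(src)

    def emit(s: str) -> None:
        nonlocal last, gap
        if gap and last and _IDENT.match(last) and _IDENT.match(s[0]):
            out.append(" ")          # keep one separating space
        out.append(s)
        last = s[-1]
        gap = False

    while i < n:
        c = src[i]
        if c in ("'", '"'):                      # string literal: verbatim
            j = i + 1
            while j < n and src[j] != c:
                if src[j] == "\\":               # skip escaped character
                    j += 1
                j += 1
            emit(src[i:j + 1])
            i = j + 1
        elif src.startswith("/*", i):            # block comment
            j = src.find("*/", i + 2)
            i = n if j < 0 else j + 2
            gap = True
        elif src.startswith("//", i) or c == "#":  # line comment
            j = src.find("\n", i)
            i = n if j < 0 else j
            gap = True
        elif c.isspace():
            gap = True
            i += 1
        else:
            emit(c)
            i += 1
    return "".join(out)


# Fixed-string signatures written against the normalised form (no wildcards
# needed for spacing).  Names and patterns are constructed for this example.
SIGNATURES = [
    ("eval-var-var", "eval(${$"),
    ("aat03-chain", "$aat03[11].$aat03[3]"),
]


def match_signatures(src: str, sigs=SIGNATURES) -> list:
    """Normalise src and return the names of all signatures found in it."""
    norm = normalize_php(src)
    return [name for name, pattern in sigs if pattern in norm]


# Constructed samples: two spacings of the same obfuscated call, and a clean
# file that only mentions the pattern inside a string literal.
SAMPLE_A = '<?php eval( ${ $aat03[11] . $aat03[3] } ("x") ); // obfuscated'
SAMPLE_B = "<?php\neval(${$aat03[11].$aat03[3]}('x'));"
SAMPLE_CLEAN = '<?php echo "eval( ${ $x"; // literal only, not a call'

if __name__ == "__main__":
    for label, sample in (("A", SAMPLE_A), ("B", SAMPLE_B), ("clean", SAMPLE_CLEAN)):
        print(label, repr(normalize_php(sample)), match_signatures(sample))
```

In practice the normalised copy, not the original upload, is what you would feed to `clamscan` (or whatever matcher you use), and the ClamAV signature is then written against the normalised text; the original file is still what you quarantine or report to the customer.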